Malicious Office (OLE) / .XLS — malware analysis report

Static analysis result for SHA-256 bb881851c401f186…

MALICIOUS

Office (OLE) / .XLS

57.0 KB Created: 2021-03-31 12:20:41
MD5: f6ed1fc605203ca75f5d3e4cdf9c8f4d SHA-1: 0c424cb3ed68823affe5f7163d18e00d47569c0e SHA-256: bb881851c401f18651d160438cc157a01d27640b081b7b8c909b222986948682
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic; T1059.001 PowerShell; T1105 Ingress Tool Transfer

The file contains both Excel 4.0 (XLM) and VBA macros, with the VBA macros explicitly calling the URLDownloadToFileA API. This indicates the primary function of the document is to download and execute a secondary payload from a remote source. The XLM macro sheet is present but appears to be minimal, suggesting the VBA macros are the primary execution mechanism. The specific URL is not directly visible in the provided script excerpts, but the intent to download is clear.

Heuristics 4

  • Reference to URLDownloadToFile API (critical, SC_STR_URLDOWNLOAD)
    Reference to URLDownloadToFile API
  • URLDownloadToFile in VBA (critical, OLE_VBA_DOWNLOAD)
    URLDownloadToFile in VBA
  • Excel 4.0 (XLM) macro sheet present (medium, OLE_XLM_AUTOOPEN)
    Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename       | Kind      | Source                                                  | Size       | SHA-256
xlm_macros.txt | xlm-macro | oletools.olevba.extract_all_macros (XLM macro listing) | 674 bytes  | e114e2363de023b4b32b11f42a83da5f571b8461b8b5cb817e1fcc58631b18a4
macros.bas     | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 2854 bytes | 25d6a4a8ba00fcbb5f87313f4d6b9b5c6574e714f5e31b8395a3a735da650fa5